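#!/bin/bash
# nginxchroot generate script
#
# Builds a minimal chroot for nginx under $NGINXCHROOT: the directory
# skeleton, tmpfs mounts for tmp and var/run (recorded in the chroot's
# etc/fstab), the nginx binary with the shared libraries it needs, a copy
# of the host nginx configuration plus the nginx.conf/example.conf shipped
# in /usr/libexec/nginx-hardened-scripts, the device nodes nginx uses, a
# minimal passwd/group/shadow set, and finally ownership, permissions and
# the cap_net_bind_service capability on the nginx binary.
#
# Must run as root (mount, mknod, chown, setcap).
# Re-running is safe: existing mounts, device nodes and symlinks are kept.
# Globals exported: NGINXCHROOT, USER, GROUP (fixed here, not read from the
# caller's environment).

set -euo pipefail

export NGINXCHROOT=/srv/nginxchroot
export USER=http
export GROUP=http

# Libraries copied into usr/lib on top of what ldd reports for the nginx
# binary.  A missing entry is a warning, not fatal: where these live varies
# between distributions (merged /usr, libxcrypt, ...), and the ldd step
# above already copies whatever resolves under /usr/lib.
readonly EXTRA_LIBS=(
  /lib/libdl.so.2
  /lib/libpthread.so.0
  /lib/libcrypt.so.1
  /lib/libpcre.so.1
  /lib/libz.so.1
  /lib/libc.so.6
  /lib/libresolv.so.2
)

#######################################
# Print an error to stderr and exit 1.
#######################################
die() { printf 'nginxchroot: %s\n' "$*" >&2; exit 1; }

#######################################
# Print a warning to stderr and continue.
#######################################
warn() { printf 'nginxchroot: warning: %s\n' "$*" >&2; }

#######################################
# Create the chroot directory skeleton.
# Globals:  NGINXCHROOT (read)
#######################################
make_skeleton() {
  local d
  for d in dev etc usr/lib usr/lib64 usr/sbin usr/share/nginx tmp \
           var/run var/lib/nginx var/log/nginx www; do
    mkdir -p -- "$NGINXCHROOT/$d"
  done
}

#######################################
# Mount the two tmpfs filesystems and write the chroot's etc/fstab.
# noexec/nosuid/nodev: nothing in tmp or var/run should ever be
# executable or a device.  Each tmpfs is mounted only if the path is not
# already a mount point, so re-running does not stack mounts.
# The fstab entries use the same mount points as the mounts above
# (var/run, not run: the skeleton creates no run directory).
# Globals:  NGINXCHROOT (read)
#######################################
mount_tmpfs() {
  local run_dir="$NGINXCHROOT/var/run"
  local tmp_dir="$NGINXCHROOT/tmp"

  if ! mountpoint -q "$run_dir" 2>/dev/null; then
    mount -t tmpfs none "$run_dir" -o 'noexec,nosuid,nodev,size=1M' \
      || die "cannot mount tmpfs on $run_dir"
  fi
  if ! mountpoint -q "$tmp_dir" 2>/dev/null; then
    mount -t tmpfs none "$tmp_dir" -o 'noexec,nosuid,nodev,size=100M' \
      || die "cannot mount tmpfs on $tmp_dir"
  fi

  {
    printf 'tmpfs   %s   tmpfs   rw,noexec,nosuid,nodev,relatime,size=1024k   0       0\n' "$run_dir"
    printf 'tmpfs   %s   tmpfs   rw,noexec,nosuid,nodev,relatime,size=102400k 0       0\n' "$tmp_dir"
  } > "$NGINXCHROOT/etc/fstab"
}

#######################################
# Copy the nginx binary, its data, the host configuration and the
# hardened config files into the chroot, and enable the example site.
# Globals:  NGINXCHROOT (read)
#######################################
copy_nginx() {
  cp -r -- /usr/share/nginx/* "$NGINXCHROOT/usr/share/nginx/" \
    || die "cannot copy /usr/share/nginx"
  cp -r -- /usr/share/nginx/html/* "$NGINXCHROOT/www" \
    || die "cannot copy /usr/share/nginx/html"
  cp -- /usr/sbin/nginx "$NGINXCHROOT/usr/sbin/" || die "cannot copy /usr/sbin/nginx"
  cp -r -- /var/lib/nginx "$NGINXCHROOT/var/lib/" || die "cannot copy /var/lib/nginx"
  cp -r -- /etc/nginx "$NGINXCHROOT/etc/" || die "cannot copy /etc/nginx"
  # The hardened nginx.conf overrides the one copied from /etc/nginx.
  cp -- /usr/libexec/nginx-hardened-scripts/nginx.conf "$NGINXCHROOT/etc/nginx/" \
    || die "cannot copy hardened nginx.conf"

  mkdir -p -- "$NGINXCHROOT/etc/nginx/conf.d" "$NGINXCHROOT/etc/nginx/sites-enabled"
  cp -- /usr/libexec/nginx-hardened-scripts/example.conf "$NGINXCHROOT/etc/nginx/conf.d/" \
    || die "cannot copy example.conf"
  # Hard link (dereferencing symlinks) the example site into sites-enabled;
  # -f replaces a link left by a previous run.
  ln -Lf "$NGINXCHROOT/etc/nginx/conf.d/example.conf" \
    "$NGINXCHROOT/etc/nginx/sites-enabled/"
}

#######################################
# Create the character devices nginx needs (random, urandom, null).
# Existing nodes are left untouched so the script can be re-run.
# Globals:  NGINXCHROOT (read)
#######################################
make_devices() {
  local spec name mode major minor
  for spec in 'random 644 1 8' 'urandom 644 1 9' 'null 666 1 3'; do
    read -r name mode major minor <<<"$spec"
    [[ -e "$NGINXCHROOT/dev/$name" ]] \
      || mknod -m "$mode" "$NGINXCHROOT/dev/$name" c "$major" "$minor"
  done
}

#######################################
# Point lib and lib64 at usr/lib and usr/lib64 inside the chroot.
# The link targets are relative, so they resolve inside the chroot.
# Globals:  NGINXCHROOT (read)
#######################################
make_lib_symlinks() {
  ln -sfn usr/lib "$NGINXCHROOT/lib"
  ln -sfn usr/lib64 "$NGINXCHROOT/lib64"
}

#######################################
# Copy the shared libraries the nginx binary needs into the chroot:
# everything ldd resolves under /usr/lib, the NSS modules, the dynamic
# loader, and the fixed EXTRA_LIBS list.
# Globals:  NGINXCHROOT, EXTRA_LIBS (read)
#######################################
copy_libraries() {
  local -a deps=()
  local lib

  # ldd prints "name => /path (addr)"; keep only the /usr/lib/ path.
  mapfile -t deps < <(ldd /usr/sbin/nginx | sed -nre 's/.*(\/usr\/lib\/\S+).*/\1/p')
  (( ${#deps[@]} > 0 )) || die "ldd reported no /usr/lib dependencies for /usr/sbin/nginx"
  cp -- "${deps[@]}" "$NGINXCHROOT/usr/lib/" || die "cannot copy nginx dependencies"

  # NSS modules are loaded at run time, so ldd does not list them.
  cp -- /usr/lib/libnss_* "$NGINXCHROOT/usr/lib/" || warn "could not copy /usr/lib/libnss_*"
  cp -- /lib64/ld-linux-x86-64.so.2 "$NGINXCHROOT/usr/lib64/" \
    || warn "could not copy /lib64/ld-linux-x86-64.so.2"

  for lib in "${EXTRA_LIBS[@]}"; do
    cp -- "$lib" "$NGINXCHROOT/usr/lib/" || warn "could not copy $lib"
  done
}

#######################################
# Copy the resolver/NSS related files from the host's /etc.
# -L dereferences symlinks so the chroot gets real files.
# Globals:  NGINXCHROOT (read)
#######################################
copy_etc() {
  # /etc{adjtime,hosts.deny} might also be needed.
  cp -Lrfv -- /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf} \
    "$NGINXCHROOT/etc" || warn "one or more /etc files could not be copied"
}

#######################################
# Write the minimal account database (http and nobody) and the empty
# shells and pid files.  The shadow entries carry a locked password
# ("x") and no hash; the files are still made 0600 like on the host.
# Globals:  NGINXCHROOT (read)
#######################################
write_accounts() {
  printf '%s\n' 'http:x:33:' 'nobody:x:99:' > "$NGINXCHROOT/etc/group"
  printf '%s\n' 'http:x:33:33:http:/:/bin/false' 'nobody:x:99:99:nobody:/:/bin/false' \
    > "$NGINXCHROOT/etc/passwd"
  printf '%s\n' 'http:x:14871::::::' 'nobody:x:14871::::::' > "$NGINXCHROOT/etc/shadow"
  printf '%s\n' 'http:::' 'nobody:::' > "$NGINXCHROOT/etc/gshadow"
  chmod 600 "$NGINXCHROOT/etc/shadow" "$NGINXCHROOT/etc/gshadow"

  touch "$NGINXCHROOT/etc/shells"
  # Lives on the var/run tmpfs, so it disappears on reboot — re-run the
  # script (or recreate the file) after the tmpfs is remounted.
  touch "$NGINXCHROOT/var/run/nginx.pid"
}

#######################################
# Set ownership and permissions, then grant the nginx binary
# cap_net_bind_service so it can bind port 80/443 without root.
# Globals:  NGINXCHROOT, USER, GROUP (read)
#######################################
set_permissions() {
  chown -R root:root "$NGINXCHROOT/"
  chown -R "$USER:$GROUP" "$NGINXCHROOT/www"
  # NOTE(review): etc/nginx is writable by the service user here, so a
  # compromised worker could rewrite its own configuration.  If nginx only
  # needs to read it, root-owned with 0644/0755 would be tighter — confirm
  # against the hardened nginx.conf before changing.
  chown -R "$USER:$GROUP" "$NGINXCHROOT/etc/nginx"
  chown -R "$USER:$GROUP" "$NGINXCHROOT/var/log/nginx" "$NGINXCHROOT/var/lib/nginx"
  chown "$USER:$GROUP" "$NGINXCHROOT/var/run/nginx.pid"

  # Blanket mode tightening was tried and left disabled:
  #find $NGINXCHROOT/ -gid 0 -uid 0 -type d -print | xargs chmod -rw
  #find $NGINXCHROOT/ -gid 0 -uid 0 -type d -print | xargs chmod +x
  #find $NGINXCHROOT/ -gid 0 -uid 0 -type f -print | xargs chmod -x
  #find $NGINXCHROOT/etc -gid 0 -uid 0 -type f -print | xargs chmod -x
  #find $NGINXCHROOT/usr/lib -gid 0 -uid 0 -type f -print | xargs chmod -x
  #find $NGINXCHROOT/usr/sbin -type f -print | xargs chmod ug+rx
  #find $NGINXCHROOT/ -gid 33 -uid 33 -print | xargs chmod o-rwx
  chmod +rw "$NGINXCHROOT/tmp" "$NGINXCHROOT/var/run"

  setcap 'cap_net_bind_service=+ep' "$NGINXCHROOT/usr/sbin/nginx" \
    || die "setcap failed on $NGINXCHROOT/usr/sbin/nginx"
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  make_skeleton
  mount_tmpfs
  copy_nginx
  make_devices
  make_lib_symlinks
  copy_libraries
  copy_etc
  write_accounts
  set_permissions
}

main "$@"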
